What American companies can learn from Europe's new GDPR laws

People around the world have recently started to receive tons of emails from companies updating their privacy policies. Naturally, many ask, why this is happening, and the ones with a deeper understanding of the process mutter a four-letter combination - GDPR. While an astounding part of the US Senate appears to be confused about the concept of Net Neutrality, Europe’s-own GDPR is an example of how to keep the internet safe from exploitation and ensure people’s rights to their privacy.

Europe's General Data Protection Regulation (GDPR) became enforceable in countries of the European Union on 25 May 2018, and American internet giants, such as Google, Facebook, and others providing services in the EU, are currently investing millions to comply with the new regulations. And there are some important things to learn from this.

What is GDPR?

GDPR is a 261 page long set of documents which will allegedly bring the most significant changes to European data security in 20 years.

The central premise of the regulation is that consumers should oversee their personal data. Upon the implementation of the GDPR Europeans will gain more access to the information which companies hold on them: correct it, ask 'to be forgotten', and even prevent it from being shared with third parties. Also, GDPR requires marketers to be more transparent. For instance, GDPR states that customers’ opt-in consent can't be a condition of service or pre-checked boxes. Moreover, if customers’ sensitive data was affected during a cyber-attack, firms must notify them directly.

It may seem that American companies don't have to worry about what's going on 'across the Pond,' but if they collect personal data or behavioral information from citizens of the EU countries, they are subjects to the requirements of the GDPR.
This means that if Facebook, Google or other companies providing services in the EU fail to put their houses in order, they could face fines as high as 20 million euros.

Privacy is a much more sensitive case in Europe. Collective memories of Nazi or Soviet eras resulted in EU's Charter of Fundamental Rights, where Article 8 states: 'Everyone has the right to the protection of personal data.' So, it comes as no surprise that GDPR is mostly based on this document.

At the same time, personal data is not explicitly protected under the U. S. Constitution. And there aren't data-protection laws in the U. S. Although, there have been efforts to put some clarity in this field, they slowly died in Congress. An exception might be lawmakers in California. They claim to have a plan to establish a data protection authority to regulate how big tech companies use Californians' personal data. However, the faith of the law is yet unclear.

If you're American, every time you log in to your social media (Facebook, Google, Instagram or Twitter) accounts, your privacy is in the hands of those companies, and appropriate use of it is not legally regulated. The scandal of Cambridge Analytica is a perfect example of what lack of regulation can do with companies willing to exploit people’s data.

Nevertheless, most Americans care about their digital privacy. A recent poll concluded, 55% of Americans are concerned that the government won't do enough to regulate how U.S. technology companies operate. In 3 months the concerns have grown by 15 percentage points.

This trend is vividly illustrated by a rocketing number of VPN customers and growing amounts of freshly established privacy providers, such as Surfshark, etc. This suggests that people begin to understand that while authorities and internet companies do the opposite of data protection, they should do it ourselves.